---
licence_title: Creative Commons Attribution 4.0 International (CC-BY 4.0)
licence_link: https://creativecommons.org/licenses/by/4.0/
licence_restrictions: https://cert.europa.eu/legal-notice
licence_author: CERT-EU, The Cybersecurity Service for the European Union institutions, bodies, offices and agencies
title: 'Critical Vulnerability in Citrix Products'
version: '1.6'
number: '2020-002'
date: 'February 3, 2020'
---

_History:_

* _13/01/2020 --- v1.0 -- Initial publication_
* _14/01/2020 --- v1.1 -- Updated with risks associated with common Cloud Services_
* _15/01/2020 --- v1.2 -- Updated with guidelines for investigating affected systems_
* _16/01/2020 --- v1.3 -- Updated with additional affected products and versions_
* _20/01/2020 --- v1.4 -- Updated with information about some patches available_
* _24/01/2020 --- v1.5 -- Updated with additional detection tools and more patches available_
* _03/03/2020 --- v1.6 -- Updated with additional investigation guidelines_

# Summary

A critical vulnerability affecting Citrix products has been disclosed in December 2019 [1]. The vulnerability, identified as CVE-2019-19781, could allow an attacker to get access to the internal network without requiring authentication. Numerous exploits to leverage this vulnerability have been publicly released [6, 7, 8]. **As of 24/01/2020 all patches are available, but an investigation of potential compromises is advised.**

# Technical Details

The affected Citrix products fail to restrict access to Perl scripts using directory traversal [2]. A remote attacker could provide crafted contents to these scripts without being authenticated. This results in an **arbitrary code execution** [5].

# Products Affected

This vulnerability affects the following products [5]:

* Citrix ADC and Citrix Gateway version 13.0 all supported builds
* Citrix ADC and NetScaler Gateway version 12.1 all supported builds
* Citrix ADC and NetScaler Gateway version 12.0 all supported builds
* Citrix ADC and NetScaler Gateway version 11.1 all supported builds
* Citrix NetScaler ADC and NetScaler Gateway version 10.5 all supported builds
* Citrix SD-WAN WANOP software and appliance models 4000, 4100, 5000,  and 5100 all supported builds

# Recommendations

Permanent fixes for the affected products are now available [11, 13]. It is recommended to patch as soon as possible. These fixes also apply to Citrix ADC and Citrix Gateway Virtual Appliances (VPX) hosted on any of ESX, Hyper-V, KVM, XenServer, Azure, AWS, GCP or on a Citrix ADC Service Delivery Appliance (SDX). SVM on SDX does not need to be updated [11]. In addition, it is advised to change the default root password of these appliances as it seems to be easily retrievable [9].

Where patching is not possible, Citrix has provided some steps to mitigate the problem [4, 5, 6]. It is highly recommended to mitigate this vulnerability followings the steps provided by Citrix, and then patch as soon as possible.

When investigating potential compromised Citrix installation, the CVE-2019-19781 DFIR Notes in [10] may be used as a guideline. Also, FireEye has published a scanner that can help in detecting compromised systems [12, 13]. Additionally, US-CERT has also published an investigation guidelines that should help in detecting potential compromises that could have happened before the mitigations or patches were applied [14].

# References

[1] <https://www.bleepingcomputer.com/news/security/critical-citrix-flaw-may-expose-thousands-of-firms-to-attacks/>

[2] <https://www.kb.cert.org/vuls/id/619785/>

[3] <https://support.citrix.com/article/CTX267679>

[4] <https://support.citrix.com/user/alerts>

[5] <https://support.citrix.com/article/CTX267027>

[6] <https://www.zdnet.com/article/proof-of-concept-code-published-for-citrix-bug-as-attacks-intensify/>

[7] <https://github.com/projectzeroindia/CVE-2019-19781>

[8] <https://github.com/cisagov/check-cve-2019-19781>

[9] <https://twitter.com/KevTheHermit/status/1216318333219491840>

[10] <https://x1sec.com/CVE-2019-19781-DFIR>

[11] <https://www.citrix.com/blogs/2020/01/19/vulnerability-update-first-permanent-fixes-available-timeline-accelerated/>

[12] <https://github.com/fireeye/ioc-scanner-CVE-2019-19781/>

[13] <https://www.citrix.com/blogs/2020/01/23/fixes-now-available-for-citrix-adc-citrix-gateway-versions-12-1-and-13-0/>

[14] <https://www.us-cert.gov/ncas/alerts/aa20-031a>